The privacy policy is much more than just a legal text: it reflects a company's commitment to protecting the personal data of its clients, prospects, and employees. In a context where the provisions of the GDPR require transparency and rigor, having a clear and understandable policy is essential.

This document, sometimes referred to as a "Privacy Policy," "Data Protection Policy," or "Privacy Statement," not only enables you to comply with legal obligations, but also helps build trust with your audience and users. Whether it involves collecting emails for a newsletter, tracking statistical analyses, connecting to applications, or managing client accounts, the policy formalizes your practices and secures your processing.

Accessible and visible, this document is also a practical tool for your internal teams and administration, clarifying procedures and guiding the implementation of data protection measures. In short, the privacy policy is a compliance tool, a business lever, and an operational guide for your employees.


Information for data subjects: What is a privacy policy?

Under the GDPR, all data controllers are required to inform data subjects in a clear and transparent manner about the use of their personal data. This obligation stems in particular from Articles 12 to 14 of the GDPR, which specify the requirements for transparency, information, and communication of individuals' rights. Article 12 requires the data controller to provide concise, transparent, understandable, and easily accessible information. Article 13 details the information to be provided when data is collected from the data subject, and Article 14 when it is not collected directly from the individual.

This obligation is primarily reflected in the privacy policy, which is a key document for any organization. It ensures compliance with the principle of transparency and formalizes the company's commitments to users.

At Dipeeo, we recommend not grouping all audiences together in a single document. It is preferable to adopt a policy for each type of person concerned, so that the information is clear and easily accessible:

  • Policy for employees: collection and processing of data related to employment contracts, HR management, video surveillance, internal monitoring, etc.
  • Policy for applicants: processing of applications, retention of resumes, communication on recruitment, etc.
  • Policy for prospects, clients and partners: collection for prospecting, management of requests and complaints, marketing, contract monitoring, use of the site, connection to networks and other applications, etc.

A single document that is too long and dense becomes counterproductive: it can be unreadable and no longer meets the legal requirements for clarity and transparency. It is therefore crucial to use simple vocabulary that is understandable to everyone, tailored to each audience, so that everyone can easily understand their rights and how their data is processed.

A privacy policy explains how the organization collects, uses, stores, and protects personal data, and it plays an educational role by informing data subjects about:

  • Categories of data collected: personal and/or professional identification data, contact details, login details, cookies, etc.
  • Purposes of processing: account management, marketing, prospecting, analytics, online video tracking, service improvement.
  • The legal basis for processing: consent, legitimate interest, legal obligation, performance of a contract.
  • User rights: access, rectification, deletion, restriction, portability, and objection.
  • Data retention period: storage period and deletion criteria.
  • Security measures: technical and organizational protocols to protect information.
  • etc.

In summary, the privacy policy is a central and strategic document that formalizes the company's compliance approach and ensures a clear commitment to the protection of personal data.

How to draft a privacy policy that complies with GDPR

Implementing a GDPR-compliant privacy policy requires structured and thoughtful work. The goal is to ensure that data subjects clearly understand how their data is collected, used, and protected, while complying with legal obligations.

1. Map data processing

Before writing anything, identify precisely all data processing carried out by the organization:

  • What types of data are collected? (personal identification data, contact details, browsing data, professional information, etc.)
  • For what purposes? (client management, marketing, prospecting, HR monitoring, analytics, security, etc.)

This step ensures that the policy accurately reflects actual practices and covers all processing operations.

2. Clearly define the legal basis and purposes

Each processing operation must have a clearly identified legal basis and a purpose:

  • Explicit consent when necessary.
  • Legitimate interest for certain professional actions (ensuring that this is balanced with individual rights).
  • Legal obligations or performance of a contract.

It is important that this information is presented in a simple and understandable manner, so that every data subject understands why their data is being processed and on what legal basis.

3. Structure the policy to make it easier to read

Even without detailing the types of audiences, the policy must remain clear and intuitive:

  • Use clear titles and subtitles.
  • Write concise sentences using simple vocabulary.

A logical and clear structure makes it easier for users to understand and complies with the GDPR requirements (Article 12).


What are the risks associated with a non-compliant or incomplete privacy policy?

Publishing an inadequate or difficult-to-read privacy policy exposes you to several serious risks. This is particularly true for clients, prospects, and partners, since this policy is generally accessible online: an incomplete or unclear document can be a clear indication of a lack of compliance.

  1. Risk of increased scrutiny: A policy that lacks transparency may attract the attention of the CNIL (National Commission for Information Technology and Civil Liberties). Authorities may interpret the absence of clear information as a sign that the company is not fully complying with its GDPR obligations, which may lead to controls or even sanctions.
  2. Actual penalties already imposed: Since early 2025, the CNIL has stepped up its decisions against companies for breaches relating to the information of data subjects. These penalties show that the data regulator takes transparency very seriously and that a poorly designed policy can be costly.
  3. Damage to trust and reputation: Users who do not understand how their data is processed are likely to become suspicious or disengaged. A policy that is difficult to understand can damage your credibility and affect relationships with your clients, prospects, or partners.
  4. Missed opportunity for transparency: A well-written policy is not only a protective tool, but also a way to showcase your best practices. An incomplete or difficult-to-read version deprives the company of a valuable lever for building trust.

Ready-to-customize privacy policy template

To facilitate the implementation of a GDPR privacy policy, we have created a template that is ready to be customized. It includes all the essential elements (identification of the controller, data collected, purposes, legal bases, individual rights, security and data retention periods, etc.) and can be quickly adapted to your organization.

This template saves time, ensures that your policy is clear and understandable, and guarantees minimum compliance with legal requirements, while remaining accessible and educational for your users.

Download a privacy policy template

Access a customizable GDPR template to easily create your own privacy policy. Ideal for websites, blogs, e-commerce, or applications.

Best practices for an effective privacy policy

For a privacy policy to fulfill its role, it must be easily accessible and visible to all users:

  • Website integration: the policy must be included in the footer and accessible at all times from all pages of the website.
  • Link to the central document: all information notices related to data collection—for example, under a contact form, during a download, or in a marketing email—must include a hyperlink to the central policy.
  • Clarity and simplicity: use vocabulary that everyone can understand and concise sentences so that the information can be quickly absorbed.
  • Regular updates: Ensure that the policy always reflects your current practices and is revised whenever there are changes or modifications to processing or the legal framework.

By applying these best practices, you ensure transparency, trust, and compliance while simplifying access to information for your users.

Data protection: focus on cookies

The management of cookies and other trackers deserves special attention. We recommend publishing a separate cookie policy rather than including all the information in the general privacy policy. This prevents users from being overwhelmed by an overly dense document and makes it easier for them to understand the purposes, types of cookies used (analytical, marketing, functional), and consent options.

A dedicated cookie policy makes information clear and accessible to all visitors to the site, while complying with the transparency and consent requirements set out in the GDPR and the e-Privacy Directive. It may include:

  • The different categories of cookies used on the website.
  • The specific purposes of each cookie.
  • The ability for users to refuse or change their choices at any time.
  • The link to the general privacy policy for additional information on data processing.

This approach ensures that users fully understand their rights and builds trust in the use of the site.

Conclusion

Publishing a privacy policy is more than just a regulatory requirement: it is a strategic tool that formalizes transparency, builds trust, and guides your teams in managing personal data. When well-written, it helps secure your data processing, clarify your internal practices, and support your clients, prospects, and partners throughout their journey in accordance with applicable regulations.

However, having a comprehensive policy is not enough. The key is to strictly comply with what is stated in it, particularly with regard to data retention periods, security, and the rights of data subjects. A privacy policy is just one document among many: it must be part of an overall compliance framework, alongside the processing register, internal procedures, cookie management, contracts with processors, and security measures.

In short, the privacy policy formalizes your commitments, but actual compliance depends on the effective implementation of your practices. It is this consistency between the document and concrete actions that guarantees the protection of users' personal data, strengthens the company's credibility, and enables you to meet the requirements of the GDPR provisions while maintaining a lasting relationship of trust with your audience.

Samia Rahammia

IT and Data Lawyer and Marketing Project Manager